11 February 2015

This was a really long winter break. The Sony hack is all water under the bridge now. The hackers have gone back to work, with a bang. 80 Million data sets lost. Anthem was hit particularly hard, and Anthem’s customers are hit by a wave of phishing emails.

The main question is always: How could it happen? And, what can be done to prevent such thefts in the future?

I found an interesting statement in a report published 2/4/2015 by Steve Ragan at CSO-Online:

“On January 27, 2015, an Anthem associate, a database administrator, discovered suspicious activity – a database query running using the associate’s logon information. He had not initiated the query and immediately stopped the query and alerted Anthem’s Information Security department. It was also discovered the logon information for additional database administrators had been compromised.”

This makes it clear: The attackers got access to at least the database login information of some database administrators. In addition, they had to steal some at least standard user credentials for access to company computers. This is required to start the database queries. The rest is easy!

Remind: Attackers can read in company networks like in an open book.

Once they got access to some computers, social engineering could be used to find information about the business critical databases. With an e.g. Oracle client and Microsoft Access as front end, they are able to read all data, even if the database is fully encrypted. In the case of an SQL-Server backend you do not even need a database client software installed because the ODBC driver is part of the Office installation.

The big problem is that any company workstation could be used to launch a query. Even if e.g. an Oracle client is not installed, an instant client, which could be installed by the user, is absolutely enough for access to the business critical data.

The attack surface is enormous. But it’s easy to shrink it. Most database providers offer whitelisting technologies to restrict access from computers to the database server. In the best case, only some application servers, backup systems and admin workstations must have access to the database. Include only this systems in the white list, and exclude all other computers in the black list. That’s it.

For Oracle, parameter TCP.INVITED_NODES specifies the white list, TCP.EXCLUDED_NODES the black list in the SQLNET.ora configuration file.

The only question remaining is: How could the attackers get access to the login credentials of the database admins and the standard users? Unfortunately I haven’t found any hints so far…

That’s it for today.